Finding your first job in cyber security: A guide for computer science and technology graduates

Just finishing a degree in computer science? Interested in switching jobs? You may want to strongly consider a career in cyber security. Although most technology graduates are sought after these days, cyber security professionals are particularly in high demand. Both the UK and US governments are hiring cyber security professionals. The private sector in both countries and in many countries around the world is hiring professionals with the requisite knowledge and skills to help fend off growing cyber security threats.

Why is cyber security a valuable career path? Just take a look at the following numbers:

If you are close to graduating or recently graduated with a computer science degree, you may want to consider trying to land your first job in cyber security. The number of unfilled jobs in this area continues to increase, with no foreseeable drop-off in the immediate future. More importantly, however, is the fact that this career path already has a million unfilled jobs. Corporations, businesses, and governments cannot seem to fill all of their open positions. This is a troubling trend, especially considering the growing number of cyber criminals and the growing threat of cyber crime.

Finding your first job in cyber security should be easy enough with so much demand. However, you’ll want to make yourself attractive to employers before you graduate and enter the job market. How you prepare will also be influenced by what type of cyber security job you’re looking to get into.

Common cyber security jobs

Before applying for cyber security jobs, it’s good to know what’s out there for this expansive profession. The following jobs are the most common for cyber security professionals entering into the field, with the average salaries (from Glassdoor, ITJobsWatch, and PayScale) for each in the US and UK:

Knowing ahead of time which jobs you might apply for matters. While most cyber security professions do require a similar set of skills, most will have certain upfront requirements that you may not meet. When that happens, you’ll likely have one of two primary options: Gain the requisite knowledge before you apply, or acknowledge your lack of training, but apply anyway.

The first option might seem like a better one, but don’t jump to too many conclusions here. Cyber security jobs are still incredibly hard to fill. If a company believes that you have a good technical foundation, they may be more than willing to hire you for the job and help you get the rest of the skills you need to perform those job duties in full.

If you’re graduating with a degree in cyber security (typically a Master’s), you’re likely to have more options than someone who is graduating with a more general computer science degree. There are some key differences in what coursework cyber security graduates obtain that sets them apart. In particular, cyber security graduates may be more likely to find jobs as Intelligence Analysts and Cyber Security Engineers by the simple fact of having the type of education that’s geared more toward those jobs.

Computer security jobs cover several core skills areas, but they are far from the same. And when applying for your first job in cyber security (or one you’ve always had your eye on), you might want to avoid sounding like you’re not talking about the correct field. You’ll see the computer and internet-related security fields come with a lot of different titles: internet security, network security, cyber security, information security. It’s easy to assume they’re all the same thing, but understanding the nuances between them may place you further up the list of potential applicants.

Network security and/or cyber security

IT and networking leader Cisco states that “network security” is “any activity designed to protect the usability and integrity of your network and data.” That protection includes both software and hardware solutions. It’s best to think of network security as security efforts designed to help ensure that the network is strong from the inside, and focuses its efforts on ensuring that the “castle walls” are strong.

According to Cisco, network security includes all of the following types of measures and controls:

Access Control

Antivirus and Malware Software

Application Security

Behavioral Analytics

Data Loss Prevention

Email Security

Firewalls

Intrusion Prevention Systems

Mobile Device Security

Network Segmentation

Security Information and Event Management

VPN

Web Security

Wireless Security

Undoubtedly, of the many computer-related security branches, network security is perhaps the largest. And as you might notice, while network security primarily focuses on activities that occur within the network, it’s designed around keeping malicious actors from accessing those networks. A large focus for network security is on looking at how individuals within the network are working with and accessing the information or resources. After all, there’s no point in having internal security measures in place if someone on the inside with rights access is giving it all away (or acting against the network themselves).

Cyber security and network security can generally be used interchangeably. However, it may be wise not to use the term information security when referring to the above.

Information security

Where network security is more centered around preventing unauthorized access to a network or misuse of that network from within, information security is more singularly focused on preventing information from falling into the wrong hands. Quite understandably, information security (often called “infosec”) and network security have a lot of overlap. For example, some of the same software used by network security professionals will also be used by information security professionals.

That said, information security professionals, who may also be called “data security” workers, are often concerned about the acronym C.I.A: Confidentiality, Integrity, and Availability of data. For infosec professionals, this means that network architecture is not so much important as it is making sure that the data within that network is protected, viable and accessible for users, as well as kept out of the hands of individuals who might abuse that data. Infosec professionals will, therefore, be far more concerned about what happens to the data after a data breach and will spend far more time concerned about data stored on the servers.

All of that taken together, however, cyber security/network security and information security are increasingly falling under the same banner. Still, there are some differences you may want to consider when looking for jobs, as most security jobs will eventually require you to specialize in a few key areas. Much like any other area of study, the entire field is a bit too broad for one person to easily become an expert in all facets. You can, however, focus more on data security or more on network security as your primary field of expertise.

How to get into the cyber security industry

Source: “Hackers” (1995), a film about teenaged hackers.

Perhaps one misconception with cyber security is that the only individuals hired into this industry were former hackers or those who have been poking around networks since they were in diapers. However, anyone can get into cyber security by acquiring the proper training and education.

Direct route: Obtain an undergraduate degree in a computer-related field

Of course, not all computer-related undergraduate degrees are going to help give you immediate access to a cyber security job. Health Informatics, for example, is technically a computer-related field. But unless you decide to tack on a double major or a minor in computer networks, selling that degree to a cyber security firm might be a bit difficult unless you already have other networking and security skills you’ve developed on your own.

Computer science degrees and computer engineering degrees, in general, are the best route. Within these two realms, you’ll find specializations that will help land you different cyber security jobs. Among the best degrees you can earn, which may be more or less applicable to the type of cyber security jobs listed above, include:

Artificial Intelligence

Computer Architecture and Engineering

Computer Security and Cryptography

Computational Science

Computer Networks

Databases and Information Retrieval

Information Science

Programming

Software Engineering

Hardware Engineering

Concurrent, Parallel and Distributed Systems

For those still earning an undergraduate degree, valuable courses may include, but are not limited to, the following examples:

Second route: Obtain a graduate degree in cyber security

If you graduated with a Bachelor’s degree in computer science, but want to get a more specialized degree in cyber security, a Master’s degree program is a good idea. More importantly, if you obtained an undergraduate degree in a field outside of computer science or computer engineering, a graduate program may be your best option.

Think of Master’s degree programs as similar to professional trade schools. While undergraduate degrees do provide some basic knowledge that may be desirable for employers, those with a Master’s degree in a specialized field are often more attractive hires. For cyber security, even if your undergraduate degree was outside of the field, a Master’s degree in a cyber security can help get your foot in the door. You may need to provide more evidence toward your skillset if you went straight into a Master’s program without getting work experience first, but the degree will help land more interviews and potential job offers.

Master’s degree programs in cyber security are fairly easy to find. Online programs are extremely popular, although in-person classes do maintain more reputability, despite the growth in online options at even some well-respected institutions.

Third route: Obtain a cyber security certificate

If time and money are a constraint for you, consider obtaining specialized cyber security certificates or those that would be related to the field. Certificate programs are as common as Master’s degree programs. Although they often target individuals already working in cyber security who are hoping to obtain different specializations, they are generally open to anyone for enrollment.

Those who have no programming, security, or networking background can benefit from gaining different certificates. However, doing so might require noticeable legwork on your part. These certificate programs usually have no prerequisites, but the laser-focused nature of these programs may make keeping up more difficult for individuals with little to no experience. Nevertheless, many programs exist that can help build the requisite knowledge from the ground up.

Certificate programs, much like Harvard’s, typically require students to choose a smaller selection of classes to earn the certificate. In Harvard’s case, students are required to take two courses to earn the certificate.

Valuable certificates for cyber security newcomers

If you’re looking at the certificate route as your point-of-entry, consider obtaining a variety of certificates from the Computing Technology Industry Association (CompTIA) as a way to build up your knowledge and experience. CompTIA is an industry-neutral trade organization that offers certificates for a variety of skill levels. CompTIA provides programs that can help newcomers build the requisite certificate history to land a career in the industry.

Valuable certificates for those with computer science, engineering, and networking backgrounds

If you already have some background knowledge or experience in computing, networking, or security, the following certificates may be what you’re looking for to better enter into the cyber security industry:

Cisco Certified Entry Network Technician (CCENT). This Cisco certification goes into more depth than the CompTIA Network+. It’s known to be difficult but may provide someone with the prerequisite knowledge an advantage when it comes to cyber security job applications. Cisco provides this certification directly.

Certified Information Systems Security Professional (CISSP).Administered by the independent Center for Cyber Safety and Education (Formerly ISC2), the CISSP is one of the most respected infosec certifications. The certificate focuses on security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security. These are considered the Common Body of Knowledge for cyber security professionals. ISC2 delivers this certification directly. A 4-year degree in computer science or computer engineering can be used as a waiver to bypass the 5-year minimum work experience normally required.

Cisco Certified Networking Associate (CCNA). Cisco offers a number of certificates geared toward those with enough experience to allow for very specific specializations. CCNA certificates are offered in cyber ops, routing and switching, security, and several other key areas. The benefit to these certificates is that there are no prerequisites, although acquiring the certificate may be difficult for those with no prior experience in computing. Cisco offers these certificates directly.

Who’s hiring cyber security professionals?

While most large companies and many government organizations are hiring cyber security professionals all the time, some of the most notable include:

Many of the larger companies also target recent graduates as well with career-building jobs. These will often start out with a lower salary, but come with the benefit of more on-the-job training to help new employees gain the skills needed by the company.

Some companies and organizations offer scholarships

Not yet trained in cyber security? The need for new professionals is so great, some companies and many independent organizations offer scholarships to anyone who wants to work in the industry.

Notable scholarships for all learners:

Cisco opened up a program in 2017 that almost immediately filled up. The company offered $10 million in scholarships to those willing to take a 3-course study in cyber security. The company promises to open up the program again in 2018 for new applicants.

The National Security Agency offers generous scholarships to undergraduates through its Stokes Educational Scholarship Program. Those going into this program must be in computer science or computer engineering degree programs and must agree to work for the NSA after completion.

The US Office of Personnel Management offers a Scholarships for Service program for undergraduate and graduate students who intend to work for the federal government. This program covers both college costs and pays a stipend.

The Science Mathematics & Research for Transformation (SMART) scholarship is an interesting option for several reasons. First, it’s delivered by the U.S. Department of Defense for anyone pursuing a STEM graduate or undergraduate degree, including computer sciences and information sciences. The program also accepts applicants from several close U.S. allies: Australia, Canada, New Zealand, and the UK. Successful applicants must be willing to accept a job working for the DoD after graduation.

Microsoft offers tuition scholarships for undergraduate students pursuing degrees in computer science, computer engineering, or STEM fields related to either of those two. The scholarship covers part of the tuition for one academic year and is open to students in the US, Canada, and Mexico.

Notable scholarships for women and minorities:

Several organizations (ASCA, Hewlett-Packard, Symantec) join together to provide interested women with the Scholarships for Women Studying Information Security. This scholarship is designed to provide up to $10,000 per accepted applicant to cover the costs of studying in and entering into cyber security professions.

Google offers their Women Techmakers Scholars Program for women interested in technology careers. This includes cyber security or information security degrees. The program is open to applicants who identify as female and live in North America (US, Canada), Europe, the Middle East, Africa, and Asia Pacific.

The Women in Defense organization offers their HORIZONS Scholarship for women who want to pursue careers in national security or defense agencies. This is designed to cover any woman who want to obtain a degree in cyber security and who intend to work for a defense agency.

IBM and the American Physical Society offer an internship program for both women and underrepresented minorities. While not a scholarship, these are paid internships to work for IBM while an undergraduate student and gain valuable experience in the process.

The Society of Women Engineers offers several different scholarships for women pursuing STEM degrees. This includes computer science and computer engineering, cyber security and information security-related degrees. In 2016, the organization offered $750,000 in new and renewed scholarships.

More such scholarships exist as well. Many companies are willing to pick up the cost for those willing to work for them after graduation. This may require you to contact a company directly and inquire about any such opportunities. However, diligence is generally required even with the large demand for cyber security professionals.

Additional scholarships can be located using major scholarship databases, such as the following:

Stay Active in the Cyber Security Community

The cyber security community is not only large but continues to grow every day. Becoming an active participant will not only help you keep up with this quickly-changing industry, it may help you land a job. One Comparitech writer, Lee Munson, found his way into the cyber security field by keeping an active blog, posting on LinkedIn, and closely following industry leaders. You can read more about his journey here.

The size of the industry does mean that there are a very large number of personal bloggers, industry-facing websites, forums, and other web spaces. Here are some of the best places on the web for cyber security newcomers, broken down by category.

Interesting Blogs

Darkreading.com

One of the highest-ranked cyber security websites on the web, Dark Reading focuses on all aspects of cyber security, with special attention on attacks, app security, cloud security, data leaks, privacy, and a lot more. Follow them on Twitter @DarkReading.

Krebsonsecurity.com

Digital Guardian calls Brian Krebs a “household name in information security.” His site’s rankings and most infosec professionals would likely agree. Krebs worked for The Washington Post for over a decade and authored over 1,300 articles for their Security Fix blog. You can follow him on Twitter @briankrebs.

Threatpost.com

Security company Kaspersky runs its own cyber security news website called Threat Post. Considering this comes directly from Kaspersky, it shouldn’t be a surprise that the site is very popular within the security community. You can follow them on Twitter @threatpost.

Andrewhay.ca

Andrew Hay is Senior Security Research Lead & Evangelist at Open DNS. He offers up his insight and years of experience on his blog. You can follow him on Twitter @andrewsmhay.

Schneier.com

Cryptography expert Bruce Schneier is well-respected within the cyber security industry. His blog, Schneier on Security, has enjoyed 10 years of growth, focusing specifically on security and privacy matters important to the industry and consumers. Schneier is the Chief Technology Officer of IBM Resilient, an incident response company. Follow him on Twitter @schneierblog.

Emergentchaos.com

The fun bloggers at Emergent Chaos provide a bit of entertainment to the educational value in this blog. Those new to the industry might find a lot of use in following the posts here, and even in digging through old posts about various topics in cyber security.

Elie.net

Leading Google’s abuse response team, Elie Bursztein is a young but talented cyber security professional with a bit of an eccentric flair. Bursztein is an ethical hacker who works with Google to help invent new ways to prevent cyber attacks. His blog posts often focus on his work. You can follow him on Twitter @elie.

Grahamcluley.com

Graham Cluley has his finger on the pulse of the infosec industry. He’s often first covering major topics related to cyber security and privacy, making him a go-to source for those keeping up with what’s happening in the industry. You can follow him on Twitter at @gcluley.

Elearnsecurity.com

Newcomers can go to eLearnSecurity to not only brush up on their IT know-how but to get some good insight into the industry. eLearnSecurity maintains an active blog with posts that should help newcomers get a good grasp of what’s happening in cyber security. Most of the posts focus inwardly on eLearnSecurity’s products and services, but many will still provide value for interested parties. You can follow them on Twitter @elearnsecurity.

Nakedsecurity.sophos.com

Cyber security company Sophos offers up an industry-focused blog that’s a good source for both newcomers and professionals alike. The Naked Security blog is a great way to stay abreast of the latest concerns and issues happening within cyber security—perfect for before you head into your first interview. You can follow them on Twitter @NakedSecurity.

Helpful forums

This Reddit community for internet security professionals is a great source, especially for those looking for work. /r/netsec often posts hiring threads for those who are looking for work, and for those who are either hiring or know of companies that are hiring internet security professionals. This community has over 180,000 subscribers.

A great place for any undergraduates or graduate students alike, or even self-learners, this subreddit is designed for those just getting started in the internet security industry. This subreddit only has around 20,000 subscribers, so it’s a bit less active, but filled with good discussions and helpful moderators. It’s useful as a tool to help find where to get started with network security.

Another great starting point for newcomers, this Reddit forum is designed for just what the name would suggest: Asking questions about network security. You’ll find that the somewhat small community is very friendly and a great place to go to for advice.

Stack Exchange is a great place with a limited number of communities. One such community is all about information security. Stack Exchange works differently than Reddit, although it’s still a fairly open community. Ask questions, get answers, and find the best answers voted to the top. You can easily browse, but you can also engage to get valuable information.

The Hack Forums is a forum website designed around hacking, with a special emphasis on white hat, or ethical hacking. Anyone interested in ethical hacking, security, and software vulnerabilities should spend some time here reading forum posts and discussions.

Keep up with cyber security news and concepts

Cyber security is a constantly changing field. Even the most well-known professionals in the field keep up-to-date with the latest news and important literature that help define the field. As a newcomer entering the industry, you’ll want to make sure you’re also well educated on major concepts and maintain a steady stream of knowledge as the industry changes.

Notable mailing lists and newsletters

The U.S. Computer Emergency Readiness Team provides mailing lists that help keep industry professionals up-to-date. Lists include alerts on security issues, vulnerabilities and exploits, bulletins covering vulnerabilities and patches, tips on common security issues, and current activity around the industry. Individuals can sign up via RSS feed.

Cyber security training institute SANS provides several newsletters to help readers stay informed on cyber security issues. Their newsletters include OUCH!, which is designed for common users; @RISK, which covers new risks and vulnerabilities; and SANS Newsbites, an executive summary of major headlines in cyber security from the past two weeks.

Def Con is not a single list, but a website you can use to find a large number of different cyber security lists. Def Con provides detailed information about each mailing list, including volume and frequency.

Although a small list, Security Awareness provides excellent, high-quality infosec mailing lists. The lists are simple to sign up to via email.

Important and notable books

Cracking the Coding InterviewBy Gayle Laakmann McDowell

A best-seller for software engineers looking to land their first job, this is an important read for any potential security software engineers. McDowell covers the process both as someone who has been through the process as an interviewee and as an interviewer.

RTFM: Red Team Field ManualBy Ben Clark

Consider this book your best friend if you’re headed into ethical hacking or cyber security in general. The Red Team Field Manual provides a valuable reference for Linux and Windows syntax, including the most difficult to remember tools, values, syntax, and scripting.

BTFM: Blue Team Field ManualBy Alan J. White

Similar to the RTFM, the BTFM is designed for individuals working within the NIST Cybersecurity Framework and focuses on the five core principles: Identify, Protect, Detect, Respond, and Recover. The book is for anyone who wants practical information on how to handle cyber security incidents and should be considered essential for anyone who wants to work as an incident responder.

Hacking: The Art of ExploitationBy Jon Erickson

This must-have book helps guide those with some security knowledge through the hacking process. The book focuses on the thought process behind hacking, with some hands-on hacking methods for a variety of different purposes.

Data and Goliath: The Hidden Battles to Capture Your Data and Control Your WorldBy Bruce Schneier

Bruce Schneier has several books available. This includes his exploration of cyber threats in the modern world. This book provides a good grounding for cyber security professionals who want to gain a broader understanding of the on-going cyber threats to individuals and companies.

Python hacking is among the most common hacking methods. As such, Jason Seitz’s book is a perfect primer for information and network security professionals, as well as anyone interested in a future in ethical hacking.

The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and DeceiversBy Kevin D. Mitnick

Although presented through a fictionalized view, Kevin Mitnick adds in his expert hacking experience to present real scenarios in hacking. His book dives into what hacking looks like from both sides of the fence—and how the victims could have prevented the hacks.

Average day of a cyber security professional

What does a day look like for a cyber security professional? While it can vary depending on your specialization, here’s what your typical cyber security professional may do on any given day:

Reviewing security standards

A good amount of time for a cyber security professional might consist of reviewing security standards and setup. This could involve reviewing any incident reports as well and checking networks for suspicious-looking activity.

Reviewing security architecture

If everything looks good on the security front, cyber security professionals may spend a good amount of their day reviewing the established architecture. This may include looking for places where the current architecture is vulnerable and reviewing mitigation strategies.

Constant analysis

One of the key jobs of a cyber security professional is understanding what a threat actually looks like before, during, and after it has occurred. You may hear about times when companies have suffered security breaches that they did not discover for days, weeks, or even months. This may happen when the professionals they’ve hired have failed to fully recognize the incidents that exist. A large part of the job for a cyber security professional is staying on top of the type of threats that can occur, what these look like, and knowing how to put a stop to them as they happen.

Regular testing

As cyber security professionals are often called upon to “think like a hacker,” this also means putting their own systems to the test. Security professionals may spend some time looking for flaws by trying to break through their own secure networks and then working to solve vulnerabilities as they’re discovered.

There is no real 9 to 5

A security professional’s duties rarely fit nicely into a 9-5 schedule. As cyber threats can occur at any time day or night, security professionals are often called on to work at all hours. Many companies will hire multiple professionals to work at different hours, in fact, so as to create a 24-hour security workforce.

3 thoughts on “Finding your first job in cyber security: A guide for computer science and technology graduates”

I am a career changer in DC. I received my Master’s of Cyber security May 2017 from Norfolk State University with A- GPA. I had an internship at the Whitehouse for 6 months. I am having difficulties securing a job in cyber security because I’am being told I don’t have enough experience or under qualified according to the responses i’ve have received from perspective employers. I have transferable skills in auditing, communication, program management, access control, collaborating with stakeholder, team leadership and database development management. I had an offer commitment but never heard back from the recruiter after giving my salary requirements. I’m constantly networking (conferences, protege/mentor, cybersecurity association and linkedin. I’m working on my security plus certification, to make me more marketable. I don’t understand if there is a shortage of cybersecurity workers why I’m not getting offers for employment. It appears employers are focusing on certification and aren’t interested in my MS Cybersecurity degree. How can I get the experience if a company doesn’t hire me. I would like to know what I need to do differently.

That’s really difficult to read! I’m sorry you’ve been having such a hard time. It sounds like you’re doing everything right. How far around are you searching for cybersec jobs? Are you looking outside of where you currently live and exploring out-of-state? The certifications will almost certainly work in your favor as well.

Sorry Haven’t replied in almost a year. I have continue in my original career filed. I have a mentor know and applying to other jobs. I have been offered help desk jobs at 18 hours which is a 70% pay cut. I have a Security+ certificate and it has not opened on door so I’m hesitant to obtain my CISSP. I own my home in DC so relocation is not an option. Need less to say I’m not employed in the Cybersecurity Field and this degree is waste of time and money